// Flags PE files (MZ magic, > 10 KB) that embed the Donot downloader's
// batch-script template ($seq1) together with a characteristic x86
// argument-setup/call sequence ($seq2), plus any two of three weaker
// format-string / runtime markers ($s1-$s3). The two $seq strings carry the
// selectivity; the $s strings are corroboration only.
rule APT_Donot_Downloader_May_2021_1 {
   meta:
        description = "Detect the trojan downloader used by Donot group"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        // NOTE(review): the rule name says May 2021 but this date reads 2020-05-09;
        // one of the two is a typo — confirm against the original publication.
        date = "2020-05-09"
        hash1 = "28aa296bda12f0184564c5f6b46e679f07255aa8df58b861ea17910cdcaa674a"
        hash2 = "03730cdc23a3d10c8752ad1464ff2e68a64c69f8310b0ceea4d52b1db0215dfc"
        hash3 = "edd590c343570f7576aca83da58967e058585c6ba861682dca2fc987c713ee3a"
        tlp = "White"
        adversary = "Donot"
   strings:
        // $seq1 is the ASCII batch-script template the downloader writes out,
        // kept as hex so the trailing spaces on several lines are exact. Decoded:
        //   echo off
        //    md %s            (x5)
        //    attrib +a +h +s %s   (x4; the first line has two leading spaces)
        //    del /f %s
        //    SET /A %%COMPUTERNAME%%
        //    SET /A RAND=%%RANDOM%% 10000 + 2
        //    echo %%COMPUTERNAME%%-%%RAND%% >> %s
        //    schtasks /delete /tn MobUpdate /f
        //    schtasks /delete /tn TaskUpdate /f
        //    schtasks /delete /tn MachineCore /f
        //    schtasks /create /sc minute /mo 20 /f /tn TaskUpdate /tr %s
        //    schtasks /create /sc minute /mo 10 /f /tn MachineCore /tr %s
        //    move %%APPDATA%   (template is cut here)
        // The %s slots and the doubled %% around batch variables are consistent
        // with the template being passed through printf-style formatting before
        // it is dropped; the task names MobUpdate/TaskUpdate/MachineCore are the
        // persistence artefacts to look for on a host.
        $seq1 = { 65 63 68 6f 20 6f 66 66 0a 20 6d 64 20 25 73 20 0a 20 6d 64 20 25 73 20 0a 20 6d 64 20 25 73 20 0a 20 6d 64 20 25 73 20 0a 20 6d 64 20 25 73 20 0a 20 20 61 74 74 72 69 62 20 2b 61 20 2b 68 20 2b 73 20 25 73 20 0a 20 61 74 74 72 69 62 20 2b 61 20 2b 68 20 2b 73 20 25 73 20 0a 20 61 74 74 72 69 62 20 2b 61 20 2b 68 20 2b 73 20 25 73 20 0a 20 61 74 74 72 69 62 20 2b 61 20 2b 68 20 2b 73 20 25 73 20 0a 20 64 65 6c 20 2f 66 20 25 73 20 0a 20 53 45 54 20 2f 41 20 25 25 43 4f 4d 50 55 54 45 52 4e 41 4d 45 25 25 20 0a 20 53 45 54 20 2f 41 20 52 41 4e 44 3d 25 25 52 41 4e 44 4f 4d 25 25 20 31 30 30 30 30 20 2b 20 32 20 0a 20 65 63 68 6f 20 25 25 43 4f 4d 50 55 54 45 52 4e 41 4d 45 25 25 2d 25 25 52 41 4e 44 25 25 20 3e 3e 20 25 73 20 0a 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 4d 6f 62 55 70 64 61 74 65 20 2f 66 20 20 0a 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 54 61 73 6b 55 70 64 61 74 65 20 2f 66 20 0a 20 73 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 74 6e 20 4d 61 63 68 69 6e 65 43 6f 72 65 20 2f 66 20 0a 20 73 63 68 74 61 73 6b 73 20 2f 63 72 65 61 74 65 20 2f 73 63 20 6d 69 6e 75 74 65 20 2f 6d 6f 20 32 30 20 2f 66 20 2f 74 6e 20 54 61 73 6b 55 70 64 61 74 65 20 2f 74 72 20 25 73 20 20 0a 20 73 63 68 74 61 73 6b 73 20 2f 63 72 65 61 74 65 20 2f 73 63 20 6d 69 6e 75 74 65 20 2f 6d 6f 20 31 30 20 2f 66 20 2f 74 6e 20 4d 61 63 68 69 6e 65 43 6f 72 65 20 2f 74 72 20 25 73 20 0a 20 6d 6f 76 65 20 25 25 41 50 50 44 41 54 41 25 }
        // $seq2 is x86 code (reads as 32-bit): two back-to-back calls with
        // arguments stored directly into the outgoing-argument area.
        //   c7 44 24 xx imm32  mov dword [esp+xx], 0   (args at +0x10..+0x04)
        //   c7 04 24 imm32     mov dword [esp], imm32  (2nd byte 0x42/0x61 fixed)
        //   e8 rel32           call (displacement ~0x1xx, later ~0x8xx)
        //   83 ec 14 / 83 ec 18  sub esp, 0x14 / 0x18
        // The sub esp after each call equals the argument bytes just set up
        // (5 dwords = 0x14, 6 dwords = 0x18), which is consistent with GCC-style
        // code calling stdcall (WinAPI) callees that pop their own arguments.
        // The wildcards/jumps tolerate relocation and register-allocation noise.
        $seq2 = { c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 c7 44 24 08 00 00 00 00 c7 44 24 04 00 00 00 00 c7 04 24 ?? 42 [2] e8 ?? 01 00 00 83 ec 14 [0-3] c7 44 24 14 00 00 00 00 c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 c7 44 24 08 00 00 00 00 [2-5] 24 04 [0-3] 89 04 24 e8 ?? 01 00 00 83 ec 18 89 [1-9] c7 44 24 04 ?? 43 [2] c7 04 24 ?? 61 [2] e8 ?? 08 00 00 }   
        // $s1 appears to be a C-runtime diagnostic (MinGW-w64 pseudo-reloc
        // code emits this text), so benign MinGW-built binaries also contain
        // it — it is corroboration for the toolchain, not an IoC on its own.
        $s1 = "VirtualQuery failed for %d bytes at address %p" fullword ascii
        // $s2: "%s\" + 1..14 bytes + ".bat" — path format string for the dropped .bat.
        $s2 = { 25 73 5c [1-14] 2e 62 61 74 }
        // $s3: "%s\" + 1..14 bytes + "%" — a second "%s\..." path format string.
        // Loose: it can also match inside the same bytes as $s2 whenever another
        // '%' follows within 14 bytes, so $s2+$s3 alone can satisfy "2 of ($s*)".
        $s3 = { 25 73 5c [1-14] 25 }
   condition:
         // MZ header, larger than 10 KB, BOTH code/script sequences, any two markers.
         // NOTE(review): no upper filesize bound; once the sample sizes are
         // confirmed a "filesize < N" term would keep scans cheap on large files.
         uint16(0) == 0x5a4d and filesize > 10KB and all of ($seq*) and 2 of ($s*)
}
